Security warnings: missing 'Secure' and 'HttpOnly' cookie attribute

[jussara-ti]

Hello!

I scanned my network searching for security reports, then I received the following relatory, with 2 security vulnerabilities from TeamPass host:
Missing 'Secure' Cookie Attribute (HTTP): The remote HTTP web server / application is missing to set the 'Secure' cookie attribute for one or more sent HTTP cookie.
Missing 'HttpOnly' Cookie Attribute (HTTP): The remote HTTP web server / application is missing to set the 'HttpOnly' cookie attribute for one or more sent HTTP cookie.

I already implemented this; set session.cookie_secure and session.cookie_httponly on php.ini to 1; added the lines init_set('session.cookie_httponly', 1); and init_set('session.cookie_secure', 1); in teampass/index.php; added the lines define('SESSION.COOKIE_HTTPONLY', true); and define('SESSION.COOKIE_SECURE', true); in teampass/includes/config/include.php and nothing... I'm still with the same security warnings.

When I inspect the TeamPass page, I can see that the teampass_session cookie is set with HttpOnly and Secure True, but there are other cookies that aren't.

Someone know how to fix this? Am I doing something wrong?

[nilsteampassnet]

@jussara-ti
Yes you are right.
I will check to improve jstree_select cookie security.
Nevertheless, notice that this cookie only contains the ID of the last folder the user has opened.

[jussara-ti]

Ok, I got it
Thanks!

[jussara-ti]

About the security warnings, they were more about the web server than Teampass itself. I corrected them adding the following line in apache configuration file (apache2.conf): Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
With this, all cookies sent by the http server will have the "HttpOnly" and "Secure" atributes